Updated: 2009-04-09
Lightweight Directory Access Protocol (LDAP) is an Internet protocol that software programs can use to query directory services so users can easily find other e-mail users on the Internet or corporate intranet. Microsoft Exchange Server supports LDAP queries, enabling users to look up address information on the server. LDAP can also be used to search a number of global directories on the Internet, such as Yahoo!
Enhanced LDAP support in Microsoft Office Outlook 2007 includes the ability to disable certain searches (directory browsing) by default and the option to create customized filters. You can configure LDAP search behavior by using the Office Customization Tool (OCT) or a Group Policy setting. When you define custom filters, you can provide the filters to users by setting registry keys or by using an Outlook Profile (PRF) file.
Configuring LDAP directory browsing
By default, Office Outlook 2007 directory browsing or Virtual List View (VLV) searches for LDAP are disabled, and users can enable the feature.
Disabling directory browsing
You can prevent users from using directory browsing by configuring a setting in Group Policy.
You can lock down the setting to enforce disabling directory browsing by using the Outlook Group Policy template (Outlk12.adm). Or you can configure default settings by using the Office Customization Tool, in which case users can change the settings. The OCT settings are in corresponding locations on the Modify user settings page of the OCT.
The Outlook template and other ADM files can be downloaded from 2007 Office System Administrative Templates (ADM) on the Microsoft Download Center.
To disallow enabling directory browsing for LDAP by using Group Policy
1. In Group Policy, load the Office Outlook 2007 template (Outlk12.adm).
2. To customize how results are displayed, under User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Miscellaneous, double-click Turn on VLV Browsing on LDAP servers.
3. Click Disabled.
4. Click OK.
More information about LDAP directory browsing
In Outlook 2003, directory browsing was enabled by default. However, directory browsing is suitable only for small LDAP directories. A registry key introduced with Outlook 2003 Service Pack 2 allows VLV searches to be disabled, and Office Outlook 2007 uses the same registry key to regulate this feature. If your environment uses small LDAP directories and requires directory browsing, you can enable the feature by configuring the option in the Office Customization Tool or by setting the registry key (to make it a default option), or by using Group Policy (to enable and lock down the setting).
If you do not lock down the setting, users can enable or disable the option by using the check box on the Search tab of the Microsoft LDAP Directory dialog box in Outlook.
The existing registry key that managed this LDAP setting in earlier versions of Outlook continues to override server-specific settings that users choose. The registry key is:
HKCU\Software\Microsoft\Office\12.0\Outlook\LDAP\DisableVLVBrowsing
If this registry key is set to 0, the check box is cleared and dimmed so that users cannot modify it.
If this registry key is set to 1, the check box is selected and dimmed so that users cannot modify it.
Default and customized check names filters
Outlook uses the following default LDAP filters if you do not provide a custom check names filter. You can define a custom filter—search base—that describes the specific query for checking names and returning a list of matching entries from the LDAP directory.
Default LDAP filters
Outlook uses a default filter if the registry key for setting a custom check names filter is empty. The default filter used depends on two criteria:
- Is an Active Directory server used?
- Is a browse list displayed, or is an e-mail name queried?
If the user requests a browse list, the results include items that are not e-mail addresses, such as printers.
The following are the default filters for each scenario:
- For queries using an Active Directory server, where a user queries an e-mail name:
(&(mail=*)(|(mail=%s*)(cn=%s*)(sn=%s*)(givenName=%s*)(displayName=%s*)))
Including the (mail=*) term requires matching entries to have an e-mail address.
- For queries using an Active Directory server, where a browse list is displayed (which can include items that are not e-mail names):
(&(|(mail=%s*)(cn=%s*)(sn=%s*)(givenName=%s*)(displayName=%s*)))
- For queries using any other server (not Active Directory), with an e-mail name query:
(&(mail=*)(|(mail=%s*)(cn=%s*)(sn=%s*)(givenName=%s*)))
- For queries using any other server (not Active Directory), with the browse list displayed:
(&(|(mail=%s*)(cn=%s*)(sn=%s*)(givenName=%s*)))
Defining customized LDAP filters
You can provide a custom LDAP filter so that users can query additional information you provide on your LDAP server. You can define a custom filter by using an Outlook Profile (PRF) file, or you can write the custom filter string directly into the Outlook profile in the registry.
For example, you might have a CustomerID property, which is not included in the default filter. You could define the following LDAP custom filter to allow users to search on the CustomerID property:
(&(mail=*)(|(mail=%s*)(displayName=%s*)(customerID=%s*)))
Note: The LDAP Request For Comments (RFC) defines the format for creating search filter strings. For more information about constructing LDAP filters, see LDAP Request For Comments (RFC).
You can also set a blank search base by creating a blank filter. This is useful when you want LDAP to use the default filter specified in the RootDSE. You create a blank filter by clearing the registry entry or by setting the CheckNames property to "" in the Outlook Profile (PRF) file.
Define a custom filter by using a PRF file
1. In a text editor (such as Notepad), open the PRF file. You can use the Office Customization Tool to create a default PRF file to edit. For more information, see Outlook in Office Customization Tool in the 2007 Office system.
2. In Section 4 (which contains the default values for each service), enter CheckNames= as a new property and type the custom search filter as the value. For example, enter the following:
CheckNames=(&(mail=*)(|(mail=%s*)(displayName=%s*)(customerID=%s*)))
3. In Section 6 (which contains the mapping values for profile properties), define the CheckNames property. In the [LDAP Directory] section, enter the following new entry:
CheckNames=PT_STRING8,0x6624
4. Save the file.
You can then deploy the PRF file to your users. For more information, see Apply an Outlook Profile (PRF) File to configure Outlook profiles.
You can also configure other LDAP options by using a customized PRF file. See Example: Defining LDAP options in a custom PRF file later in this topic.
Define a custom filter by using the registry
1. Start the registry editor, and then search for the registry key 001e6604.
2. Define a new LDAP search string as the registry key value, or replace the existing value.
3. Exit the registry editor.
In addition to using a custom filter for an e-mail name query, Outlook might use the same filter, in a converted form, for a browse list query. Outlook does this when the Enable Browsing check box is selected on the Search tab of the Microsoft LDAP Directory dialog box in Outlook. If you enable the browsing feature, or allow users to enable it, test the filter both for querying e-mail names and for bringing up a browse list so that users do not encounter search errors.
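The following check is an added example, not Outlook's own code or part of this article: it parses a check names filter template with the RFC 4515 filter grammar that the Note refers to, substitutes an escaped search term for `%s` (assumed to be where Outlook inserts the typed name), and reports structural errors such as a missing parenthesis or a `!` operator with more than one operand. The names `escape_term`, `build_filter`, `parse_filter` and `filter_errors` are mine, and Outlook's conversion of the filter for browse lists is not modelled.

```python
import re
# Added example, not Outlook's code: check a check-names filter template
# against the RFC 4515 filter grammar after substituting a term for %s.
# Value characters with filter-syntax meaning (RFC 4515, section 3).
ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
ITEM_RE = re.compile(r"([A-Za-z][\w.;-]*)(=|~=|>=|<=)([^()]*)")

def escape_term(term):
    """Escape a search term so it is read as data, not as filter syntax."""
    return "".join(ESCAPES.get(ch, ch) for ch in term)

def build_filter(template, term):
    """Replace every %s (assumed Outlook substitution point) with the term."""
    return template.replace("%s", escape_term(term))

def parse_filter(text):
    """Parse a filter into nested tuples; raise ValueError on bad structure."""
    def node(i):
        if i >= len(text) or text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        if i < len(text) and text[i] in "&|!":
            op, children = text[i], []
            i += 1
            while i < len(text) and text[i] == "(":
                child, i = node(i)
                children.append(child)
            if op == "!" and len(children) != 1:
                raise ValueError(f"'!' takes one filter, got {len(children)}")
            result = (op, children)
        else:
            m = ITEM_RE.match(text, i)
            if not m:
                raise ValueError(f"bad attribute item at offset {i}")
            result, i = (m.group(1), m.group(2), m.group(3)), m.end()
        if i >= len(text) or text[i] != ")":
            raise ValueError(f"missing ')' at offset {i}")
        return result, i + 1
    tree, end = node(0)
    if end != len(text):
        raise ValueError(f"unexpected text at offset {end}")
    return tree

def filter_errors(template, term="Smith"):
    """Return the first error for a template after substitution, else None."""
    try:
        parse_filter(build_filter(template, term))
    except ValueError as exc:
        return str(exc)
    return None
```

Run `filter_errors` over both the e-mail name form and the browse list form of a custom filter before deploying it; `None` means the filter parses cleanly.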
Mapping server LDAP properties to Outlook MAPI properties
When you configure custom filters, it can be helpful to know the MAPI property names that correspond to the LDAP display names.
MAPI property name | MAPI ID | LDAP display name
---|---|---
PR_USER_CERTIFICATE | 3a22 | usercert
PR_GIVEN_NAME_A | 3a06 | givenName
PR_INITIALS_A | 3a0a | initials
PR_STREET_ADDRESS_A | 3a29 | streetAddress
PR_LOCALITY_A | 3a27 | l
PR_STATE_OR_PROVINCE_A | 3a28 | st
PR_POSTAL_CODE_A | 3a2a | postalCode
PR_COUNTRY_A | 3a26 | co
PR_TITLE_A | 3a17 | title
PR_COMPANY_NAME_A | 3a16 | company
PR_ASSISTANT_A | 3a30 | msExchAssistantName
PR_DEPARTMENT_NAME_A | 3a18 | department
PR_BUSINESS_TELEPHONE_NUMBER_A | 3a08 | telephoneNumber
PR_HOME_TELEPHONE_NUMBER_A | 3a09 | homePhone
PR_BUSINESS2_TELEPHONE_NUMBER_A | 3a1b | otherTelephone
PR_HOME2_TELEPHONE_NUMBER_A | 3a2f | otherHomePhone
PR_PRIMARY_FAX_NUMBER_A | 3a23 | facsimileTelephoneNumber
PR_MOBILE_TELEPHONE_NUMBER_A | 3a1c | mobile
PR_ASSISTANT_TELEPHONE_NUMBER_A | 3a2e | telephoneAssistant
PR_PAGER_TELEPHONE_NUMBER_A | 3a21 | pager
PR_COMMENT_A | 3004 | info
PR_EMS_AB_PROXY_ADDRESSES | 800f | proxyAddresses
PR_USER_X509_CERTIFICATE | 3a70 | userSMIMECertificate
PR_EMS_AB_X509_CERT | 8c6a | userCertificate
Example: Defining LDAP options in a custom PRF file
You can customize a PRF file to include LDAP options, such as defining a custom names filter or enabling browse list capability. Here is a sample PRF file with several LDAP options configured.
;Office Customization Tool
;**************************************************************
; Section 1 - Profile Defaults
;**************************************************************
[General]
Custom=1
DefaultProfile=Yes
OverwriteProfile=Append
ModifyDefaultProfileIfPresent=TRUE
;**************************************************************
; Section 2 - Services in Profile
;**************************************************************
[Service List]
Service1=LDAP Directory
;***************************************************************
; Section 4 - Default values for each service.
;***************************************************************
[Service1]
UniqueService=No
ServerName=ldap.boeing.com
DisplayName=BoeingCorporate
ConnectionPort=389
UseSSL=FALSE
UseSPA=FALSE
EnableBrowsing=1
UserName=
SearchBase=
SearchTimeout=60
MaxEntriesReturned=100
;This is where the custom check names filter value is defined
CheckNames=(&(mail=*)(|(mail=%s*)(customerID=%s*)))
;This specifies whether the Custom search base Boolean flag is set
DefaultSearch=1
;***************************************************************
; Section 6 - Mapping for profile properties
;***************************************************************
[LDAP Directory]
ServiceName=EMABLT
ServerName=PT_STRING8,0x6600
UserName=PT_STRING8,0x6602
UseSSL=PT_BOOLEAN,0x6613
UseSPA=PT_BOOLEAN,0x6615
DisplayName=PT_STRING8,0x3001
ConnectionPort=PT_STRING8,0x6601
SearchTimeout=PT_STRING8,0x6607
MaxEntriesReturned=PT_STRING8,0x6608
EnableBrowsing=PT_BOOLEAN, 0x6622
SearchBase=PT_STRING8,0x6603
CheckNames=PT_STRING8,0x6624
DefaultSearch=PT_LONG, 0x6623
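Because a Section 4 value that has no matching Section 6 mapping, or a Boolean with a non-Boolean value, is not applied as intended, the following added example (not Microsoft's tooling, and not part of this article) reads a PRF file with Python's INI parser and checks each service's defaults against its mapping section. The sample PRF is constructed and cut down from the layout above; `check_prf` and `UNMAPPED_OK` are my names, and treating UniqueService as an unmapped control directive is an assumption.

```python
import configparser
import re
# Added example (not Microsoft tooling): verify that every Section 4 value in
# a PRF file has a Section 6 mapping of the right MAPI type before deploying it.
# Constructed sample, cut down from the layout shown on the page.
SAMPLE_PRF = """\
[Service List]
Service1=LDAP Directory
[Service1]
UniqueService=No
ServerName=ldap.example.com
UseSSL=FALSE
EnableBrowsing=1
CheckNames=(&(mail=*)(|(mail=%s*)(customerID=%s*)))
DefaultSearch=1
[LDAP Directory]
ServerName=PT_STRING8,0x6600
UseSSL=PT_BOOLEAN,0x6613
EnableBrowsing=PT_BOOLEAN, 0x6622
CheckNames=PT_STRING8,0x6624
DefaultSearch=PT_LONG, 0x6623
"""

MAPPING_RE = re.compile(r"^(PT_[A-Z0-9]+)\s*,\s*0x[0-9a-fA-F]{4}$")
BOOL_VALUES = {"0", "1", "TRUE", "FALSE"}
UNMAPPED_OK = {"UniqueService"}  # assumption: a PRF directive, not a MAPI property

def check_prf(text):
    """Return a list of problems; an empty list means Sections 4 and 6 agree."""
    cfg = configparser.ConfigParser(interpolation=None)  # keep %s literal
    cfg.optionxform = str                                 # keep key case
    cfg.read_string(text)
    problems = []
    for svc, section in cfg["Service List"].items():
        mapping = cfg[section] if section in cfg else {}  # Section 6 entries
        for prop, value in cfg[svc].items():              # Section 4 entries
            if prop in UNMAPPED_OK:
                continue
            m = MAPPING_RE.match(mapping.get(prop) or "")
            if not m:
                problems.append(f"{prop}: no valid mapping in [{section}]")
                continue
            if m.group(1) == "PT_BOOLEAN" and value.upper() not in BOOL_VALUES:
                problems.append(f"{prop}: '{value}' is not a Boolean")
            if prop == "CheckNames" and value.count("(") != value.count(")"):
                problems.append("CheckNames: unbalanced parentheses in filter")
    return problems
```

Comment lines beginning with `;` are ignored by the parser, so the file can be checked as written.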